Day 1 - Friday

August 9, 2019

10:00-11:00

KEYNOTE

"The Abridged History of Application Security"

Application Security began in the early 60's where plain text password storage, no password policy, poor access control and other massive security problems were the norm. This talk with review the history of application security to help illustrate not just how much application security has gotten better, but also how the rate of positive change has been getting better as well. This fun ride through the history of application security is meant to inspire those who work in the industry. We are often looking closely at failure and insecurity, but when we step back and look at our industry historically, we can all see just how much things truly are getting better.

Jim Manico

11:30-12:15

"Automate Pen-Testing in Dockerized CI/CD Environment"

Speed is vital in startups, and fast moving CI/CD pipelines are the norm in startups. Dynamic application security testing (DAST) can take advantage of the speed, automate along the CI/CD pipelines, and enable developers to fix issues while vulnerabilities are in development phase. In order to be integrate seamlessly with CI/CD pipelines, DAST tools should be ready to be deployed as code, integrate with a modern build system, and be able to provide instant feedback. Existing commercial DAST tools generally do not have such capabilities. In this presentation, we discuss how we dockerized Headless Burp, deployed the Headless Burp as code, so that it can be integrated with Selenium tests on demand.

YanYan Wang

12:30-13:15

"Crypto Failures- and how to avoid them"

Crypto used to mean cryptography - and in the realm of mathematics. Nowadays, everyone wants some crypto for their security schemes. But sometimes people forget is that crypto is hard - and trusting your own crypto is very risky if you don't actually have cryptographers in your team!

In this talk, we will review some common crypto failures and how they led to some of the biggest issues we've seen in recent years and conclude with some concrete advice on how to avoid such mistakes, and more importantly where to get advice.

Guy Barnhart-Magen

13:30-13:50

"Purple Team Strategies for Application Security"

Purple Team testing, or the active collaboration of offensive and defensive staff during penetration tests, can help organizations address their most immediate security threats, increase the accuracy of testing, and create a feedback loop where both teams contribute to the success of the other. Typical Dynamic Application Security Testing (DAST) does not lend itself well to Purple Team practices. This talk covers the basics of conventional Purple Team exercises, the ways that application testing environments and tools often differ from penetration testing, and how application defenders and breakers can adapt to those differences to enable each other in an integrated fashion.

For defenders, learn how your insights into the overall environment and risks, knowledge of security controls, and the state of and output from applications being tested can lead to better, faster, and more actionable application security tests. For breakers, learn how to help defenders better recognize threats in logs and alerting systems and increase their ability to spot, stop, and mitigate real-world attacks. Both sides can benefit from fewer missed opportunities to work together to increase the security of their organization while reducing the friction that the often adversarial nature of security testing creates.

Joe Schottman

14:00-14:45

"Vulnerabilities that Hide from Your Tools"

Over the past few years, AppSec professionals have become increasingly reliant on automation. While it's fine to use tools to do the work that you just don't have the time for, there are many vulnerabilities that automated tools can't detect. In this talk, we'll discuss methodologies for finding those hidden vulnerabilities so you can sleep a little better at night.

Jillian Ratliff

15:00-15:45

"huskyCI: Finding Security Flaws in CI Before Deploying Them"

Unfortunately, in large organizations, it becomes very challenging for the security team to review and track all the commits and deploys that occur in all the company's products. To circumvent this problem, I developed a tool in Go to automate security testing within the Continuous Integration pipelines called huskyCI.

Rafael Santos

16:00-16:45

"How bad could it be? Inside Law Enforcement and Local.gov AppSec"

There are over 17,000 police agencies and 38,000 local governments in the US. They all use software to track your taxes, handle 911 calls, and and store reports documenting the worst days of citizens' lives. AppSec is damn important, but most agencies are lucky to have an IT department, let alone anyone looking after security.

The apps in LE and Local.gov are generally hidden from scrutiny. When the end-users don't have the resources to dig into what happens under the hood, what sort of flaws sneak into those products? This talk will take you behind the curtain and show you the gnarly stuff your tax dollars paid for, vulns found and fixed, and how you can help make things better.

Anthony Kava

Day 2 - Saturday

August 10, 2019

10:00-11:00

KEYNOTE

"Purple is the New Black- Modern Approaches to Application Security"

Gone are the days when breaches were rare and security could safely be put low on the priority list; product security is now a customer demand and cyber crime has reached epic proportions. Our idolization of hackers, penetration testing and ‘breaking’ has not resulted in secure software for our industry, only egos, stereotypes and unaffordable security models. Modern application security approaches need to address both offensive (red team) and defensive (blue team) approaches, as well as continuous learning and advocacy for developers. This means Purple Team. This talk will explore how to combine defence, offence, automation, empathy and continuous learning, all without the requirement of ever wearing a hoodie. The future of security is PURPLE.

Tanya Janca

11:30-12:15

PANEL "Let’s All Get Technical and Hunt Harder"

Abstract: Every security tester has some sort of methodology and toolset they use. This ""secret sauce"" is the essence of good security research. This panel is about disclosing those secrets. We will talk through successful tools and techniques used, what we focus on, and why. Followed by topics such as advents in tooling, approaches to different types of applications, reconnaissance, vulnerability trends in bounty, and more. Attendees will leave this presentation with knowledge of practical recommendations for hacking methodologies, tools, and tips to better hack. Along with hearing about vulnerabilities commonly seen as edge cases that have been present on heavily tested sites, and what are the upcoming challenges in the space.

This talk focuses on the current and future of bounty hunting and web hacks that bug hunters or penetration testers can be knowledgeable of what the various environment trends. We will be going over the changes to the web attack landscape and how web hackers, can better find bugs in the web applications that are currently being developed.

Alyssa Herrera, STÖK, Corben Leo, Chloé Messdaghi (Moderator)

12:30-13:15

"0day Hunting and RCE Exploitation in Web Applications"

I will give brief and logical answers How to find Remote Command Execution vulnerability? and How to exploit discovered vulnerability with Metasploit? in web applications. In answering these questions, I will show you my special exploits, "Webmin Unauthenticated RCE" and "ManageEngine Unauthenticated RCE" which I have not published yet. I will public these critical vulnerabilities in Defcon App-Sec Village.

Özkan M. Akkus

13:30-13:50

"An Introduction To Application Security Threat Modeling"

Threat modeling is something we instinctively already know how to do. If I asked you to help me threat model a camping trip to a park with bears, you could jump right in. You can do that even though you may have never been camping near bears. You are able to build a mental threat model: put up the food, bring bear spray, and you know… maybe just stay in a hotel with decent wifi.

We should but often don't pivot that same mind frame to the building of a threat model for your application security program. In this introductory talk, we will discuss how to start a formal threat modeling program at your company, building a threat model, and how to keep improving your model.

Jerry Gamblin

14:00-18:00

WORKSHOP "The OWASP Top Ten for Developers- Secure Coding Seminar"

Student Requirements: Familiarity with the technical details of building web applications and web services from a software engineering point of view.

Laptop Requirements: This seminar will be mostly lecture and demonstration. A laptop is not required but might be useful to take notes.

Description: The major cause of webservice and web application insecurity is insecure software development practices. This highly intensive and interactive 4-hour seminar will provide essential application security training for web application and webservice developers and architects.

The class is a combination of lecture, security testing demonstration and code review. Students will learn the most common threats against applications. More importantly, students will learn how to code secure web and API solutions via defense-based code samples.

Jim Manico

Day 3 - Sunday

August 11, 2019

09:30-09:50

"Shifting the DevSecOps Culture, Taking away the sugar piece and giving the pile to ants"

We have been talking about the technical angle of DevSecOps. How do I go about building the DevSecOps culture in the organisation? So far Generally corporates are trying to have all three Plays and teams Dev, Sec and Ops team together. However, the Ideal DevSecOps idea is each individual should know what is happening in the whole process. If person or team has issues/concern, then anyone can stand-up and take the DevSecOps further. Instead of giving the sugar cube to the individuals give them the who Pile of sugar to the Ants (aka teams), incase something fails the other teams can balance the situation or stand up for each other.

This talk will portray Call to action from different teams. What should a Developer should do, what a security and Operations person should do? How to bring the teams to work together. Example – Earlier security teams used to sit in a room alone. Now security team sits with operations and Dev teams.

Vandana Verma Sehgal

10:00-10:20

"History of the worst Android app ever: mAadhaar"

Beginning of 2018, I analysed the official Android app of an Indian governmental program called Aadhaar. Aadhaar is a 12-digit unique identity number that can be obtained by residents of India, based on their biometric and demographic data. With 1.234 billion holders, Aadhaar is the biggest identification program of the world.

The surprise was huge when I discovered multiple vulnerability in this application used by millions of people.

From the analyse of the app, the description of the vulnerabilities, the attempt of responsible disclosure to the Indian Government, to the media impact of this work, this presentation gives the full story of this incredible journey.

fs0c131y

10:30-10:50

"Exploiting and Securing iOS Apps using OWASP iGoat"

Is your product or application has a mobile app? Do you use any of AWS services? Are your product security engineers working on mobile application security? Looking for information about the importance of mobile app security? If your answer is yes to any of these questions then this talk is for you!

This talk will discuss recent case studies of critical findings in mobile apps and also help to adopt skills required to perform penetration testing / security audit of iOS applications using free an open source tool - OWASP iGoat.

Swaroop Yermalkar

11:00-13:00

WORKSHOP "Offensive Python: Custom Scripts for Pentests"

In this workshop, we'll write custom Python scripts to automate and augment penetration testing. Learn the basics of port scanning, crafting custom packets, and building your own exploits in Python.

We will work through examples using a Jupyter Notebook, which you can make a copy of to play around with after the conference. (To get the most out of this class, you should already have some basic programming experience in Python or a similar programming language like Ruby.)

Fletcher Heisler

14:00-16:00

WORKSHOP "Exploiting Bad Crypto Found in the Wild!"

In this workshop you will learn to exploit a few examples of poorly implemented cryptography found in real-world penetration tests and reverse engineered into CTF-style challenges. The hand-picked exercises will take you on a trip from bad credential storage mechanisms that allow "hash" decryption to epic failures in ransomware design which allowed full decryption of encrypted files. By the end of the workshop, you will be able to recognize some instances of insecure crypto and exploit them for fun and profit!